Hint for HELP

@ackback said:

@Ammit said:
Any hints for Priv Esc? Looked at searchsploit, keep getting an error on execution

./xxxxx
error invalid argument

executing from within a reverse python shell
I’m getting the same message, did you find a solution?

I did, and I am not sure why this caused an issue, but when I uploaded a web shell I was using the usual p0wny shell script and upgrading that to a reverse python shell.

However, the exploit didn’t like this, so I used the standard php reverse shell with kali and caught it with netcat. Doing it this way allowed me to fire off the exploit with no problems.

@Pinkbunnyman , you stated there is a storm of exploits out there, agreed, however, for someone rather new to exploit resourcing, where might I go outside of Exploit-DB to find some home made stuff to learn with?

Interesting box. Sometimes you spend the time searching for what was already found :D.

Finally scored ROOT with special thanks to @manick69 and @Pinkbunnyman for both of your assistance on learning not the answers but how to get them! Thanks Gents!

USER: Initial foothold seems as though, for someone with better know-how than me, would be pretty straightforward as all avenues are available for you. HINT: Don’t forget MSploit is your friend and can assist you!

ROOT: I tried to overthink this process instead of remembering that certain programs are quite literally built to help you out with this! HINT: RECON and Execute!

Good Luck all and feel free to PM me for any other pointers that you may need for this box specifically.

@cymtrick, thanks for the machine!

User was a bit sloppy, but root was pretty easy. Didn’t touch N****s, did the easy way.

There’s plenty of hints in this thread and I feel saying anything more would be an overkill.

Spoiler Removed

Rooted this box, learnt new things, root was quick!

Rooted the box, after trying many shells.

Hint: try a lot of shells, never give up

Hello guys, I don’t know how to do this. I found Apache and NodeJs on their respective ports, I tried brute force but no luck. Any hints please?

This looks like a simple .p## upload exploit. Not getting the time issue. Looked at the source code and get the error message is not a biggie. The exploit I have is supposed to get past any timing issues. Can anyone PM me for a push in the right direction? I’m on user still.

@isuckathacking said:
I used the blind SQL way to get administrator in the webapp. Is there a particular method besides similar to the easy way to go after a shell?

If the easy way didn’t exist as a vuln but the sql injection still did should I expect to find a way to shell?

I want to make sure I practice the intended ways fully.

Same question here, I’ve also used Blind SQL, got admin for the webapp and I’m not finding any options besides the easy way to get the shell.
That would make the whole SQL thing not really necessary :(

Did anyone find another way?

@nand0 said:

@isuckathacking said:
I used the blind SQL way to get administrator in the webapp. Is there a particular method besides similar to the easy way to go after a shell?

If the easy way didn’t exist as a vuln but the sql injection still did should I expect to find a way to shell?

I want to make sure I practice the intended ways fully.

Same question here, I’ve also used Blind SQL, got admin for the webapp and I’m not finding any options besides the easy way to get the shell.
That would make the whole SQL thing not really necessary :(

Did anyone find another way?

I used the other exploit on exploit-db which I believe is the intended way… after you get admin, but I don’t have user yet. There are posts in here talking about a totally different approach though.

@GoneRogue2018 said:

@ispartan99 said:
Here are my findings:

  • I’ve got the high port msg. Here, I’m not able to understand how can we get the creds for the authentication
  • I’ve got the tict system portal but the problem is that I’m not able to upload the P shell and if I have successfully uploaded it then maybe I’m not able to find the correct path of the uploaded file (it is somewhat related to the ‘tic**ts’ directory?!).
  • There’s a lot of hints where it shows that we do something with the time in the exploit code, here I cannot understand what should I do.

Can anyone help me with where I am now?! It will be really appreciated.

DM me.

Same for me. If you figure it out, or someone is willing to share a hint, DM me. Thank you.

Same with me, any DM will be appreciated as I am a newbie here.

I am able to upload shell but when I go to /s******/u****s/t*****s it shows default page of apache

I am trying harder, think I need to try harder-er but…now on day 2 w user, suggested exploit works perfectly as long as the machine isn’t too hammered …any tips/hints for that sweet root would be appreciated (that or tips for accessing the info on that high numbered port) --I know it’s supposedly easy…really been after this hard for a long time, I’m stuck.

@legat0 said:
I am trying harder, think I need to try harder-er but…now on day 2 w user, suggested exploit works perfectly as long as the machine isn’t too hammered …any tips/hints for that sweet root would be appreciated (that or tips for accessing the info on that high numbered port) --I know it’s supposedly easy…really been after this hard for a long time, I’m stuck.

what’s the most basic priv esc enumeration you can do? Real step one stuff.

@WiseGuy said:
I have been stuck on User for days. I have the username and password but can’t find where to use them.

Any nudge on the parameters used for getting the username and password?

I have tried the file upload stuff but couldn’t get ahead. I went to the github for helpdeskz and tried to access the /s******/u*****/t****** but it leads to the Apache page.

Stuck on user, trying the HelpDesk way. I’m attempting to find the php shell I uploaded, and I’m also pretty sure that the directory in which the file will be uploaded is /st/u*/t*****s/. I’ve also read the github repo trying to figure out how files are managed. Nevertheless, I can’t even display on the website a previously uploaded jpg file. Any hint will be appreciated.

-Edit: Finally found the way to find uploaded files, now searching for a way to RCE php. It is always showing the jpg image even if code is embedded in exif.

@iainpbsec said:
what’s the most basic priv esc enumeration you can do? Real step one stuff.

Thanks @iainpbsec, got it. not too bad once I got my head on straight (and a hint!)

Got user shell
Have done hash reverse on some interesting service, searched for suid+sgid, running service exploit, the .b**********y seems interesting, but still no luck

EDIT:
Got root after a day of trying
just trial and error…